author: Vincent Palatin <vpalatin@chromium.org> 2018-06-29 15:12:05 +0200
committer: chrome-bot <chrome-bot@chromium.org> 2018-06-29 14:16:33 -0700
commit: 281a76997acdf79836ef6419a34ec75366cf2971 (patch)
tree: 44e9f52fdd224e0d907203e3722f36782f8dbff2
parent: d12f9cd5a0a75b2de647f3e65b3f08a7ec24f755 (diff)
host_command: fix the memmap fix

The newly added size check must be performed against args->response_max
(aka the size of the response buffer) rather than args->response_size
(the actual size of the response which is always 0 when the handler is
called).

Signed-off-by: Vincent Palatin <vpalatin@chromium.org>

BRANCH=none
BUG=chromium:855972
TEST=make buildfuzztests -j
     echo AwcAAAAAeg== | base64 -d > crash
     ASAN_OPTIONS="log_path=stderr" \
     build/host/host_command_fuzz/host_command_fuzz.exe ./crash
TEST=On Nocturne, run 'ectool --name=cros_fp version', no longer see
     a spurious 'EC result 3 (INVALID_PARAM)'

Change-Id: I798d1dad2424398561d240a3b8190e4d0219339d
Reviewed-on: https://chromium-review.googlesource.com/1120251
Commit-Ready: Vincent Palatin <vpalatin@chromium.org>
Tested-by: Vincent Palatin <vpalatin@chromium.org>
Reviewed-by: Nicolas Boichat <drinkcat@chromium.org>

-rw-r--r-- common/host_command.c 2
1 files changed, 1 insertions, 1 deletions
diff --git a/common/host_command.c b/common/host_command.c
index 9fbd2efffb..cad9fd94a9 100644
--- a/common/host_command.c
+++ b/common/host_command.c
@@ -534,7 +534,7 @@ static int host_command_read_memmap(struct host_cmd_handler_args *args)
uint8_t size = p->size;
if (size > EC_MEMMAP_SIZE || offset > EC_MEMMAP_SIZE ||
- offset + size > EC_MEMMAP_SIZE || size > args->response_size)
+ offset + size > EC_MEMMAP_SIZE || size > args->response_max)
return EC_RES_INVALID_PARAM;
/* Make sure switch data is initialized */
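Review bot: The changed comparison "size > args->response_max" has no comment saying which field is the buffer capacity and which is the handler's output, and that confusion is exactly what the previous revision got wrong. A one-line comment above the condition, stating that response_max is the size of the response buffer and that response_size is still 0 when the handler is entered, would keep the next edit from swapping them back. The commit message tests the fix with a fuzzer crash input and a manual ectool run on Nocturne; since the earlier check rejected valid requests with EC_RES_INVALID_PARAM, a unit test asserting that an in-range offset and size succeeds, and that a size larger than response_max is rejected, would catch both directions of this mistake automatically.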